CVE-2016-6445

EUVD-2016-7368
A vulnerability in the Extensible Messaging and Presence Protocol (XMPP) service of the Cisco Meeting Server (CMS) before 2.0.6 and Acano Server before 1.8.18 and 1.9.x before 1.9.6 could allow an unauthenticated, remote attacker to masquerade as a legitimate user. This vulnerability is due to the XMPP service incorrectly processing a deprecated authentication scheme. A successful exploit could allow an attacker to access the system as another user.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 73%
Affected Products (NVD)
VendorProductVersion
ciscomeeting_server
1.8.15
ciscomeeting_server
1.8_base:_base
ciscomeeting_server
1.9.0
ciscomeeting_server
1.9.2
ciscomeeting_server
2.0.0
ciscomeeting_server
2.0.1
ciscomeeting_server
2.0.3
ciscomeeting_server
2.0.4
ciscomeeting_server
2.0.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161012-msc
http://www.securityfocus.com/bid/93517
http://www.securitytracker.com/id/1037000
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161012-msc
http://www.securityfocus.com/bid/93517
http://www.securitytracker.com/id/1037000